PDF malware analysis — malicious · caa85b6415d47c5c

MALICIOUS

PDF

39.1 KB Created: 2020-08-30 06:44:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 6f7b1c9d65662b7bcb3f56ea46421cec SHA-1: 6864e2269e5c0142511d9a7deb923ef6fe4c3360 SHA-256: caa85b6415d47c5c155c1a03c1ec44b4903815c526bb1e730fab7ce52e380f4a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=bakugan+oyunlar%25C4%25B1+yeralt%25C4%25B1+sava%25C5%259F%25C4%25B1'. Additionally, another critical heuristic indicates a PDF link farm, with the first URL being 'https://cdn.shopify.com/s/files/1/0429/8627/4977/files/fairy_tail_episode_278_english_dub.pdf'. These findings suggest the document is designed to lure users to malicious infrastructure. No scripts were extracted from this sample.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.cc/wix?keyword=bakugan+oyunlar%25C4%25B1+yeralt%25C4%25B1+sava%25C5%259F%25C4%25B1
- https://cdn.shopify.com/s/files/1/0429/8627/4977/files/fairy_tail_episode_278_english_dub.pdf
- https://cdn.shopify.com/s/files/1/0427/7692/0220/files/45128430178.pdf
- https://cdn.shopify.com/s/files/1/0433/9249/9877/files/88540670195.pdf
- https://static.usrfiles.com/ugd/ade4e6_c1a69d3b931d448e94b45b8c78cbd3ea.pdf
- https://static.usrfiles.com/ugd/b8c837_2546e85eae2d40c8a25f2d926e4e069b.pdf
- https://static.usrfiles.com/ugd/88a84f_69f6827ca4c745529d4ea14c784b0a18.pdf
- https://cdn.shopify.com/s/files/1/0429/2070/6204/files/noruzolozibafalek.pdf
- https://cdn.shopify.com/s/files/1/0438/9657/0024/files/ximiribavujuvavemuzovepid.pdf
- https://cdn.shopify.com/s/files/1/0431/0233/9232/files/ascending_order_and_descending_order_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0430/6960/4001/files/44027571116.pdf
- https://cdn.shopify.com/s/files/1/0430/7379/8298/files/tekeparefi.pdf
- https://static.usrfiles.com/ugd/52b593_ba749f414d6e4386aa9a2190337aad7b.pdf
- https://static.usrfiles.com/ugd/b8c837_3c183f253f8f4238940474038910a9e3.pdf
- https://static.usrfiles.com/ugd/c5d40f_be6681a389984af895c9aa2affc2b787.pdf
- https://static.usrfiles.com/ugd/e2f7e1_50a37178ff89479095d8b129696b209e.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004b03.bin` `c41012bac47f00e0fcc6784f7dc7624d15442178d8cfe7fc9ff6f6a9f81cc92c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4B03	5244 bytes
`font_01_sfnt_off00005c7e.bin` `1317c380d35407e9d40fdb47198ae71d918edd4a432809f37368998d5756474c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C7E	10916 bytes
`font_02_sfnt_off00007f22.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F22	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.